Submission Details

#51 The decimals() function isn't included in the ERC-20 specification


Low Risk

Relevant GitHub Links


This report identifies a risk due to the inconsistent implementation of the decimals() function, not originally part of the ERC-20 standard but later added as an optional extension.

Vulnerability Details

Several contracts, such as GMXOracle.sol, GMXManager.sol, and GMXReader.sol, assume the existence and correct return of the decimals() function. This assumption is risky since not all ERC20 tokens include the decimals() function.


While the decimals() function isn't originally included in the ERC-20 standard, it was introduced later as an optional add-on. Given this, not all valid ERC20 tokens implement this interface.

Therefore, indiscriminately casting all tokens to this interface and subsequently invoking this function can be risky.

Tools Used

  • Manual code review


  • Implement a default or error handling for cases where decimals() is absent.
Comments and Activity

Lead Judging Started

Hans Lead Judge 6 months ago
Submission Judgement Published
Assigned finding tags:

Unsafe call to decimals()